Commit c14303f7 authored by Pablo Neira Ayuso, committed by Liu Jian

netfilter: nft_flow_offload: reset dst in route object after setting up flow

mainline inclusion
from mainline-v6.8-rc6
commit 9e0f0430389be7696396c62f037be4bf72cf93e3
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q8LQ
CVE: CVE-2024-27403

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9e0f0430389be7696396c62f037be4bf72cf93e3



---------------------------

dst is transferred to the flow object, route object does not own it
anymore.  Reset dst in route object, otherwise if flow_offload_add()
fails, error path releases dst twice, leading to a refcount underflow.

Fixes: a3c90f7a ("netfilter: nf_tables: flow offload expression")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Conflicts:
	include/net/netfilter/nf_flow_table.h
	net/netfilter/nf_flow_table_core.c
[This is because we did not backport fa502c86, 8b9229d1,
7a27f6ab]
Signed-off-by: Liu Jian <liujian56@huawei.com>
parent 80a0681e
+1 −1
@@ -207,7 +207,7 @@ nf_flow_table_offload_del_cb(struct nf_flowtable *flow_table,
}

int flow_offload_route_init(struct flow_offload *flow,
			    const struct nf_flow_route *route);
			    struct nf_flow_route *route);

int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow);
void flow_offload_refresh(struct nf_flowtable *flow_table,
+13 −3
@@ -74,13 +74,23 @@ struct flow_offload *flow_offload_alloc(struct nf_conn *ct)
}
EXPORT_SYMBOL_GPL(flow_offload_alloc);

static struct dst_entry *nft_route_dst_fetch(struct nf_flow_route *route,
					     enum flow_offload_tuple_dir dir)
{
	struct dst_entry *dst = route->tuple[dir].dst;

	route->tuple[dir].dst = NULL;

	return dst;
}

static int flow_offload_fill_route(struct flow_offload *flow,
				   const struct nf_flow_route *route,
				   struct nf_flow_route *route,
				   enum flow_offload_tuple_dir dir)
{
	struct flow_offload_tuple *flow_tuple = &flow->tuplehash[dir].tuple;
	struct dst_entry *other_dst = route->tuple[!dir].dst;
	struct dst_entry *dst = route->tuple[dir].dst;
	struct dst_entry *dst = nft_route_dst_fetch(route, dir);

	if (!dst_hold_safe(route->tuple[dir].dst))
		return -1;
@@ -101,7 +111,7 @@ static int flow_offload_fill_route(struct flow_offload *flow,
}

int flow_offload_route_init(struct flow_offload *flow,
			    const struct nf_flow_route *route)
			    struct nf_flow_route *route)
{
	int err;
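Review bot: The unchanged guard `if (!dst_hold_safe(route->tuple[dir].dst))` in flow_offload_fill_route() now runs after nft_route_dst_fetch() has already set `route->tuple[dir].dst` to NULL, so it is handed a NULL pointer rather than the entry being installed; at minimum it should test the local, `if (!dst_hold_safe(dst))`. Because this tree still takes its own reference at that point (the Conflicts note says the upstream rework was not backported), clearing the route slot also appears to leave the caller unable to drop the route's reference, which would be a leak rather than the ownership transfer the upstream fix assumes; this needs checking against the caller's success and error paths, which are not shown here. `other_dst` is likewise read from `route->tuple[!dir].dst`, a slot that an earlier call for the opposite direction would have cleared, so if flow_offload_route_init() fills both directions in turn (its body continues outside the hunk) the second call would see NULL there. A short comment on nft_route_dst_fetch() stating who owns the returned reference would make the intended contract explicit for this backport.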